Elastic GPU Service: Connect to a Linux instance by using a password or key

Last Updated: Mar 11, 2024

Workbench is a more efficient and convenient connection tool than Virtual Network Computing (VNC) and allows multiple users to connect to a single Elastic Compute Service (ECS) Linux instance at the same time. Workbench supports the following authentication methods for logons to ECS instances: password-based authentication, SSH key pair-based authentication, temporary SSH key pair-based authentication, and credential-based authentication.

Prerequisites

  • A service-linked role for Workbench is created. The first time you use Workbench to connect to a Linux instance, you are prompted to create a service-linked role for Workbench. For more information, see Workbench service-linked role.

    Important

    When you use Workbench to connect to a Linux instance as a Resource Access Management (RAM) user, make sure that you attach the AliyunECSWorkbenchFullAccess policy to the RAM user to grant permissions to the RAM user. Otherwise, an error message indicating that you do not have the required permissions is displayed. For information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

  • A logon password is configured for the Linux instance to which you want to connect, or a key pair is bound to the instance. For more information, see Reset the logon password of an instance or Bind an SSH key pair.

  • The Linux instance is in the Running state.

  • Cloud Assistant Agent is installed on the Linux instance. For more information, see Install Cloud Assistant Agent.

  • Security group rules that allow the IP addresses related to Workbench to access the Linux instance are added. The security group rules vary based on the network type of the Linux instance.

    Instance that resides in a VPC

    If you want to connect to a Linux instance that resides in a virtual private cloud (VPC), find a security group to which the instance belongs, go to the Security Group Details page, and then add a rule on the Inbound tab. The following list describes the parameters that you must configure for the rule.

    Action: Allow
    Priority: 1
    Protocol type: Custom TCP

    Port range:

    • To open the default port 22 on the Linux instance, select SSH (22).

    • To open other ports on the Linux instance, specify a port range.

    Authorization object:

    • To connect to the Linux instance by using the auto-assigned public IP address or elastic IP address (EIP) that is associated with the instance, specify 161.117.90.22.

    • To connect to the Linux instance by using the private IP address of the instance, specify 100.104.0.0/16.

    Warning

    You can specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this exposes the instance to security risks. Proceed with caution.

    Instance that resides in the classic network

    • If you want to connect to a Linux instance that resides in the classic network over the Internet, find a security group to which the instance belongs, go to the Security Group Details page, and then add a rule on the Internet Ingress tab. The following list describes the parameters that you must configure for the rule.

      Action: Allow
      Priority: 1
      Protocol type: Custom TCP

      Port range:

      • To open the default port 22 on the Linux instance, select SSH (22).

      • To open other ports on the Linux instance, specify a port range.

      Authorization object: To connect to the Linux instance by using the auto-assigned public IP address or EIP that is associated with the instance, specify 161.117.90.22.

      Warning

      You can specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this exposes the instance to security risks. Proceed with caution.

    • If you want to connect to a Linux instance that resides in the classic network over the internal network, find a security group to which the instance belongs, go to the Security Group Details page, and then add a rule on the Inbound tab. The following list describes the parameters that you must configure for the rule.

      Action: Allow
      Priority: 1
      Protocol type: Custom TCP

      Port range:

      • To open the default port 22 on the Linux instance, select SSH (22).

      • To open other ports on the Linux instance, specify a port range.

      Authorization object: To connect to the Linux instance that resides in the classic network by using the internal IP address of the instance, specify 161.117.90.22.

      Warning

      If you specify 0.0.0.0/0 as the authorization object, high security risks may arise. We recommend that you do not specify 0.0.0.0/0.
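
The rules above can be audited mechanically. The shell script below is an added example, not part of the original documentation; it flags inbound rules that open the SSH port to 0.0.0.0/0 and reports whether a Workbench source from this page is allowed. The one-rule-per-line input format, the function names, and the sample rules are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit inbound rules that cover the SSH port.
# Rule format is constructed for this example, one rule per line:
#   policy priority protocol port_range source_cidr

WORKBENCH_PUBLIC="161.117.90.22"    # source for public IP / EIP logons (from this page)
WORKBENCH_PRIVATE="100.104.0.0/16"  # source for VPC private IP logons (from this page)

# audit_ssh_rules PORT < rules
# Prints one finding per rule that allows TCP to PORT, then MISSING_WORKBENCH
# if no rule admits a Workbench source.
audit_ssh_rules() {
    awk -v port="$1" -v pub="$WORKBENCH_PUBLIC" -v priv="$WORKBENCH_PRIVATE" '
        NF < 5 || $1 ~ /^#/ { next }                  # skip blanks and comments
        tolower($1) != "allow" || tolower($3) != "tcp" { next }
        {
            n = split($4, r, "/")                     # "22/22" or "1/65535"
            lo = r[1] + 0
            hi = (n > 1 ? r[2] : r[1]) + 0
            if (port + 0 < lo || port + 0 > hi) { next }  # rule does not cover PORT
            if ($5 == "0.0.0.0/0") {
                print "OPEN_TO_WORLD", $4, $5
            } else if ($5 == pub || $5 == (pub "/32") || $5 == priv) {
                print "WORKBENCH_OK", $4, $5
                seen = 1
            } else {
                print "OTHER_SOURCE", $4, $5
            }
        }
        END { if (!seen) print "MISSING_WORKBENCH", port }
    '
}

# Constructed sample rules (not taken from a real security group).
sample_rules() {
    cat <<'EOF'
# policy priority protocol port_range source
allow 1 tcp 22/22 161.117.90.22
allow 1 tcp 22/22 0.0.0.0/0
allow 1 tcp 443/443 0.0.0.0/0
allow 10 tcp 1/65535 10.0.0.0/8
EOF
}

sample_rules | audit_ssh_rules 22
```

An OPEN_TO_WORLD finding corresponds to the 0.0.0.0/0 case in the warnings above; pass a different port number if the instance listens for SSH on a port other than 22.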

Procedure

By default, a Workbench remote connection persists for 6 hours. If you do not perform operations for 6 hours, the remote connection is closed. You must reconnect to the Linux instance.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the Instance page, find the Linux instance to which you want to connect. In the Actions column, click Connect.

  5. In the Remote connection dialog box, click Sign in now in the Workbench section.

  6. In the Instance Login dialog box, configure the parameters.

    The following list describes the required parameters.

    Instance: The information of the current instance is automatically populated. You can enter the IP address or name of another instance.

    Connection:

    • To connect to a Linux instance that resides in a VPC, use the public or private IP address of the instance.

    • To connect to a Linux instance that resides in the classic network, use the public or internal IP address of the instance.

    For information about different network types, see Overview and IP addresses of ECS instances in the classic network.

    Authentication: Select an authentication method. The following authentication methods are supported:

    • Password-based: Enter a username, such as root or ecs-user, and a password.

    • SSH Key Authentication: Enter a username, such as root or ecs-user, and then enter or upload a private key file. If the private key file is encrypted, enter the passphrase of the private key.

    • Credential-based: Select or create a credential.

      Credentials are used to store instance information, such as usernames, passwords, and keys. You can use credentials to log on to instances in a secure manner without the need to enter usernames and passwords. If no credentials exist for a Linux instance in Workbench, create a credential for the instance. For more information, see the Create a credential to allow password-free logon section of this topic.

    • Temporary SSH Key-based: Enter a username, such as root or ecs-user. By default, the root username is used.

      Note

      Temporary SSH Key-based authentication is implemented by using common Cloud Assistant commands.

      1. When you log on to a Linux instance by using Workbench, a temporary SSH key pair is generated that has a validity period of 1 minute.

      2. Cloud Assistant calls the InvokeCommand operation to run the common commands named ACS-ECS-EnableSshPublicKey-linux.sh and ACS-ECS-SendSshPublicKey-linux.sh to send the public key of the temporary key pair to the Linux instance. In the Linux instance, the public key is delivered to Cloud Assistant Agent.

      3. You are logged on to the Linux instance by using Workbench with the temporary SSH key pair.

      Workbench does not store the key pair to the database. When the key pair expires, Workbench generates another key pair to maintain the logon connection.

    In the lower part of the dialog box, click More Options to show the optional parameters. The following list describes the parameters.

    Resource Group: By default, All is selected. You can select a resource group from the drop-down list.

    Region: By default, All is selected. You can select a region from the drop-down list.

    Protocol: By default, Terminal Connection (SSH) is selected.

      Note

      To use Remote Desktop (RDP) to connect to the Linux instance, install a Remote Desktop Protocol (RDP) service such as xrdp and a graphical desktop on the instance. For information about how to install a graphical desktop on a Linux instance, see Installing a graphical desktop environment for a Linux instance.

    Port: If you set Protocol to Terminal Connection (SSH), this parameter is automatically set to 22. If you specify a different port as the remote connection port, enter the port number.

      Note

      If you set Protocol to Remote Desktop (RDP), this parameter is automatically set to 3389.

    Language: Select your preferred language. The selected language affects the outputs of the Linux instance. We recommend that you select Default. This way, Workbench detects the language settings of the Linux instance and configures appropriate settings.

    Character Set: Select your preferred character set. The selected character set affects the outputs of the Linux instance. We recommend that you select Default. This way, Workbench detects the character set settings of the Linux instance and configures appropriate settings.

  7. Click OK.

If all prerequisites are met but the Linux instance cannot be connected, perform the following checks on the instance:

  • Check whether the SSH service (sshd) is enabled. If the sshd service is disabled, enable the service.

  • Check whether the required SSH port, commonly port 22, is open. If the required SSH port is closed, open the port.

  • To use the root username to log on to the Linux instance, make sure that the /etc/ssh/sshd_config file contains the PermitRootLogin yes and PasswordAuthentication yes settings. For more information, see the Enable root logon over SSH on a Linux instance section of this topic.

Create a credential to allow password-free logon

This section describes how to create a credential for a Linux instance in Workbench. After you create a credential, you can use the credential for authentication when you log on to the Linux instance.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the instance list page, find the Linux instance to which you want to connect. In the Actions column, click Connect.

  5. In the Remote connection dialog box, click Sign in now in the Workbench section.

  6. In the Instance Login dialog box, configure the parameters.

  7. Create a credential.

    1. The following list describes the required parameters.

      Instance: The information of the current instance is automatically populated. You can select another instance from the drop-down list.

      Connection:

      • To connect to a Linux instance that resides in a VPC, use the public or private IP address of the instance.

      • To connect to a Linux instance that resides in the classic network, use the public or internal IP address of the instance.

      Authentication:

      1. Select Credential-based.

      2. Select Create Credential from the Credential drop-down list.

    2. In the Add Credential dialog box, configure the parameters. The following list describes the parameters.

      Credential Name: Enter a name for the credential.

      Username: Enter a username, such as root or ecs-user.

      Credential Type: Select a credential type. Valid values:

      • Password: If you select this value, you must enter the logon password of the Linux instance.

      • Private Key: If you select this value, you must enter or upload a private key file. If the private key file is encrypted, enter the passphrase of the private key.

      Material Name: Enter a name for the authentication material.

      Password: Enter the logon password of the Linux instance.

      Fingerprint: The fingerprint is automatically generated based on the authentication material.

    3. Click OK.

  8. In the Instance Login dialog box, select the credential that you created from the Credential drop-down list and click OK.

Enable root logon over SSH on a Linux instance

In specific Linux operating systems, sshd disables root logon by default. In this case, you are prompted that your username or password is invalid when you attempt to connect to a Linux instance as root over SSH. To enable root logon over SSH on a Linux instance, perform the following steps:

  1. Connect to the Linux instance by using VNC.

    For more information, see Connect to an instance by using VNC.

  2. Open the SSH configuration file.

    vim /etc/ssh/sshd_config

  3. Press the I key to enter Insert mode.

  4. Set the PermitRootLogin and PasswordAuthentication parameters to yes, as displayed in the following lines:

    PermitRootLogin yes
    PasswordAuthentication yes

  5. Press the Esc key and enter :wq to save the changes.

  6. Restart sshd.

    systemctl restart sshd.service
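
The edit in steps 2 to 6, and the settings named in the troubleshooting list earlier in this topic, can be applied without an editor. The shell script below is an added example, not part of the original documentation; it handles an sshd_config that contains Match blocks or duplicate keywords and validates the result with sshd -t before the restart. The function names and the sample configuration are constructed for the example.

```shell
#!/bin/sh
# Added example: sshd keeps the first value it reads for a keyword, and a line
# after "Match" belongs to that block, so appending at the end of the file can
# leave the global setting unchanged.

# set_sshd_option FILE KEY VALUE: print FILE ("-" for stdin) with global KEY set.
set_sshd_option() {
    awk -v key="$2" -v val="$3" '
        BEGIN { k = tolower(key) }
        tolower($1) == "match" && !in_match {   # global section ends here
            if (!placed) { print key, val; placed = 1 }
            in_match = 1
        }
        !in_match && tolower($1) == k {         # active global directive
            if (!placed) { print key, val; placed = 1 }
            next                                # drop old value and duplicates
        }
        { print }
        END { if (!placed) print key, val }
    ' "$1"
}

# enable_root_password_login [FILE]: steps 2 to 6 above, run as root.
# Keeps FILE.bak and leaves FILE untouched when "sshd -t" rejects the result.
enable_root_password_login() {
    cfg="${1:-/etc/ssh/sshd_config}"
    tmp=$(mktemp) || return 1
    cp -p "$cfg" "$cfg.bak" || return 1
    set_sshd_option "$cfg" PermitRootLogin yes |
        set_sshd_option - PasswordAuthentication yes > "$tmp"
    if ! sshd -t -f "$tmp"; then
        rm -f "$tmp"; echo "sshd -t failed, $cfg not changed" >&2; return 1
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"         # cat keeps owner and mode of FILE
    systemctl restart sshd.service
}

# Constructed sample config showing the Match-block case.
sample_sshd_config() {
    cat <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF
}
sample_sshd_config | set_sshd_option - PermitRootLogin yes |
    set_sshd_option - PasswordAuthentication yes
```

A value that sshd reads earlier from a file named on an Include line still takes precedence over these settings; sshd -T prints the values that sshd will actually use.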